New ICIJ report: Cypriot loopholes helped build one of world’s most notorious spyware firms

A new report by the International Consortium of Investigative Journalists (ICIJ) claims an Israeli cyber-surveillance tycoon and his attorney ex-wife exploited Cypriot loopholes to build one of the world’s most notorious spyware firms.

According to the report, when Larnaca International Airport updated its WiFi system back in 2019, the company that installed the new equipment also set up three access points that stole personal information from over 9 million mobile devices that passed through Cyprus’ main travel hub during that time.

“The company responsible for this data theft was owned by Tal Dilian, a former commander of an elite Israeli intelligence unit turned cyber arms dealer,” it goes on to claim. “In intercepting data from Larnaca airport, Dilian was biting the hand that fed him: He had become fantastically wealthy by basing his cyber-surveillance business in Cyprus, using the island to export spyware around the globe.”

ICIJ claims Cyprus’ regulatory oversight over spyware firms is lacking – in stark contrast to the strict rules in place in the EU – and this is what enabled Dilian and his business partner and ex-wife, Sara Hamou, to create one of the world’s most notorious spyware firms.

“ICIJ has reviewed more than 1,800 emails written by Hamou contained in both the Cyprus Confidential leaked records and Pandora Papers documents. They reveal her efforts to conceal the activities and ownership of a network of firms that spread surveillance technology — which has been used to muzzle journalists and government critics — worldwide. The emails also show Hamou’s involvement in managing legal issues related to implementing surveillance projects in Europe, the Middle East and Asia.”

While Dilian has been a well-known figure in the private cyber-surveillance industry for over a decade, Hamou, a lawyer based in Cyprus, has largely avoided public scrutiny, the report claims.

However, it adds, “An ICIJ review of leaked records from Cyprus Confidential and the Pandora Papers, as well as public corporate documents, shows that she has sat on the boards of more than 20 companies with ties to Dilian. She held ownership stakes in at least three of those firms and has also owned another three companies, all connected to him.”

A May 2023 report by the PEGA Committee, which was established by the European Parliament to investigate spyware abuses, described her as a “central figure” in an “intricate network of companies” linked to Dilian — a corporate alliance known as Intellexa, ICIJ said, adding that Dilian and Hamou did not respond to repeated requests to comment on this story.

Intellexa’s spyware, which is called Predator, turns a phone into a device that spies on its owner. It is designed to gain access to any data stored on, or transmitted from, a device — messages, calls, photos and the phone’s microphone.

“Predator has been found in at least 25 countries, according to a European Investigative Collaborations investigation published in October,” ICIJ said, further claiming that it has been sold to “some of the world’s most brutal regimes”, including a paramilitary group in Sudan, the Egyptian intelligence services and the Vietnamese government, which “used the technology to try to hack the phones of US officials”.

Intellexa’s clients also include EU member states, which have used Predator to muzzle dissent at home, it said. After being forced to relocate the company’s operations to Greece after the revelations about data theft at Larnaca airport, Dilian soon became embroiled in another scandal: Predator was found to have infected the phones of a prominent Greek journalist and an opposition politician. This sparked a public uproar and parliamentary investigation, and prompted the United States this summer to blacklist two companies that sell Dilian’s spyware, the report adds.

It claims Dilian has avoided the fallout from these scandals, thanks in large part to Hamou’s efforts. “The Cyprus Confidential documents show that she took possession of a company worth over $2 million from Dilian in the past year. They also show how she built a far-reaching corporate network to develop and sell spyware that reportedly stretches across Europe, from North Macedonia to Hungary to Greece to Ireland, and has shielded Intellexa from would-be regulators. As a result, the spyware conglomerate continues to do a booming business.”

The complexity of this corporate network appears to be a tactic used to slip through the cracks of EU regulations, it said citing Sophie in’t Veld, the rapporteur of the PEGA Committee, which issued the EU report on spyware, who said: “It is like a smokescreen. It is a method they apply to stay under the radar,” before adding, “It is untenable that Intellexa is on the blacklist in the U.S. and gets the red carpet treatment in Europe. The walls will close in on them. But not today, that’s very obvious”.

Further down, the report refers to Hamou joining Trident Trust, a global provider of corporate services, in December 2008. “Trident Trust was charged with setting up a corporate network for Dilian’s first spyware company, Circles. While the company was based in Cyprus, leaked documents from the Pandora Papers show how Trident Trust’s attorneys, including Hamou, created a complex partnership between seven British Virgin Island-based companies that served to conceal its owners’ identities — the sort of intentionally opaque structure that Dilian would later rely on with Intellexa.”

As for Dilian, ICIJ mentions that his base in Cyprus was an important factor in his corporate success after establishing his business operations on the island in 2008.

As it said, Israeli cyber-surveillance companies, which are largely run by veterans of its military and intelligence communities, need to win export licenses from a branch of the Israeli Defense Ministry that assesses whether foreign sales would harm Israeli national security or its international standing. “Cyprus gave Dilian the ability to sell his spyware without seeking the approval of Israeli regulators while still allowing him to return frequently to his home country to recruit hacking experts as they exited Israel’s national security establishment,” it said.

The report mentions former presidential adviser Marios Droushiotis’ book

The report also mentions Makarios Drousiotis, a Cypriot investigative journalist and former presidential adviser, who wrote in his book “Mafia State” that the head of Cyprus’ intelligence services told him in 2019 that there were 29 Israeli-owned surveillance technologies companies operating on the island.

“Hamou built a corporate network for Intellexa that extended far beyond Cyprus,” ICIJ said citing a lawsuit filed in Tel Aviv district court in 2020 by one of Dilian’s former business partners, Avi Rubinstein, which claimed that Hamou, alongside others, was working with Dilian to “smuggle” out assets from an Intellexa company to his detriment. “According to Rubinstein, they did so by establishing companies in the British Virgin Islands, Ireland, Greece, Switzerland, Italy, the Czech Republic and Spain.”

As pressure on Dilian grew as a result of the scandals in Cyprus and Greece, he also transferred a valuable company to Hamou’s ownership, the report claims. “One of the documents sent to Censura’s accountants, seemingly by mistake, is a letter signed by Dilian to the Bank of Cyprus authorising the issuance of two checks, for a total of nearly $800,000, from a company called Lusata Investments. The annual audit of the Cyprus-based firm shows that the company holds over $2.6 million in assets. Dilian and Hamou owned Lusata Investments jointly upon its incorporation in 2019, until full ownership was transferred to her in 2023.”

According to the report, Hamou played an important role in Cyprus’ transformation into a cyber-surveillance hub. “The leaked documents show how she assisted several Israeli executives, many of whom had clear business ties to Dilian, in moving their lives and businesses to the island.”

It also mentions how Hamou registered a new company, Maravilhas Solutions Ltd., in 2018, which was to “specialize in accessorizing and improving vehicles,” such as by providing phone and internet services. Hamou’s colleague expanded on the firm’s activities in correspondence with her accounting firm in 2020, writing that it “design[s] products for a specific project,” such as “car installations” or “suitcase development for hardware.”

The report concludes with a statement by in’t Veld, the PEGA Committee rapporteur, that the EU’s lack of interest in challenging its member states’ national security justifications for the use of spyware is an abdication of its responsibility to protect democracy and the rule of law. The European Commission “is basically saying, we’re not going to enforce the law,” she told ICIJ. “And that means Europe is becoming more and more of a gangster’s paradise.”